The Legislative Audit Committee
of the Montana State Legislature:

This is the report of our performance audit of security at the Montana Lottery. The report contains recommendations for improving security over Lottery operations. The Lottery response is contained at the end of the report.

We wish to express our appreciation to the staff of the Lottery for their cooperation and assistance.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor
Introduction


In November 1986 the people of Montana passed Legislative Referendum 100 establishing a state lottery. Lottery ticket sales began June 24, 1987 with an instant scratch game being the first lottery game offered to the public. The Lottery has since increased the number of lottery games by adding three on-line lotto games: Powerball, Montana Cash and Tri-West Lotto. Ticket sales for Powerball began in April 1992 replacing Lotto*America. Ticket sales for Montana Cash began in May 1991. In February 1994, the Lottery introduced Tri-West Lotto. Tri-West Lotto was not included in our review because it was not operational until after our audit work was completed.


Section 23-7-411, MCA requires the Legislative Auditor to perform a comprehensive security audit every two years on all aspects of Montana Lottery security. This is the third security audit completed since the inception of the Lottery in 1987.

We found many areas continue to have sufficient security controls as determined during previous security audits. Areas with sufficient security controls include: instant games; validation of winning tickets for instant and on-line lotto games; background investigations of Lottery employees; controls over instant and on-line lotto game tickets and cash at special events; destruction of unsold instant tickets; Montana Cash and Powerball drawings; and performance appraisals for security-related staff.


General Security Procedures


We identified some areas where general security procedures could be improved. We noted security could be improved over the Lottery warehouse and in the procedures used in evaluating test results for disqualified Montana Cash ball sets.


Maintain the Control System Which Limits Warehouse Access


During our security audit we observed employees other than security and warehouse personnel entering the Lottery warehouse. These employees have not been authorized unrestricted access to the warehouse by the Lottery's security department. All access was made through a set of double-doors which lead from the Lottery's office area directly into the warehouse. We noted an effective control system was not in place controlling access through these doors.

Lottery officials responded to our concern by installing new locks on the doors which automatically lock when the double-doors are closed. Officials told us only security and warehouse personnel will be issued keys to the doors. We recommend the Montana Lottery maintain this control system which limits warehouse access to authorized employees.


Montana Cash Ball Set Test Results


To ensure the integrity of the Montana Cash drawing and that numbers are randomly selected, the Lottery's security department has developed drawing procedures which are followed during each drawing. Five different drawing ball sets exist and procedures require drawing officials to randomly select two ball sets for the drawing. The ball sets used to conduct Montana Cash drawings consist of ping-pong balls which are numbered from one through thirty-seven. Before the Montana Cash drawing takes place, drawing officials conduct four pretests of the primary ball set. If the same number is selected three times, a fifth pretest is required. If this ball comes up again during this test, the ball set is disqualified and is replaced with the secondary ball set. Disqualified ball sets are not eligible for another drawing until tested by the Weights and Measures Bureau of the Department of Commerce.


The Weights and Measures laboratory provides information regarding how much the total weight of a disqualified ball set has changed and also provides documentation indicating the weights of each individual drawing ball.

We found that although the Lottery's security department can determine if the weight of an entire ball set has changed, it does not have a process for monitoring the documentation for the individual drawing balls to determine if the weight for the balls has changed. When test results are received from Weights and Measures the documentation is filed away and nothing more is done with it. In addition, the security department has not established a guideline for acceptable weight ranges for the drawing balls.

We recommend the Montana Lottery create a guideline for acceptable weight ranges for the Montana Cash drawing balls. In addition, the Montana Lottery should monitor and document the information provided by Weights and Measures to determine if weights fall within this acceptable weight guideline.
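The pretest rule described above and the weight review recommended here, as an added Python example that is not part of the audit report or the Lottery's own procedures. The acceptable-range guideline (each ball within a fixed tolerance of the set's median ball weight), the sample pretest draws, the laboratory weights and the reviewer name are constructed assumptions, since the report leaves the acceptable range for the Lottery to define.

```python
from collections import Counter
from statistics import median

# Montana Cash ball sets are numbered 1 through 37 (from the report).
BALL_NUMBERS = range(1, 38)


def pretest_decision(pretests):
    """Apply the report's pretest rule to a primary ball set.

    ``pretests`` holds the ball numbers drawn in each pretest, in order.  Four
    pretests are run; if any ball is drawn three times across them a fifth
    pretest is required, and if that ball comes up again in the fifth test
    the set is disqualified and the secondary set is used instead.

    Returns "cleared", "fifth pretest required" or "disqualified".
    """
    if len(pretests) < 4:
        raise ValueError("four pretests are required before a decision")
    counts = Counter(n for test in pretests[:4] for n in set(test))
    suspect = {n for n, c in counts.items() if c >= 3}
    if not suspect:
        return "cleared"
    if len(pretests) == 4:
        return "fifth pretest required"
    if suspect & set(pretests[4]):
        return "disqualified"
    return "cleared"


def review_ball_set_weights(set_id, weights, prior_total_g, tolerance_g,
                            reviewer, review_date):
    """Evaluate Weights and Measures results for a disqualified ball set.

    ``weights`` maps ball number -> measured weight in grams for every ball.
    Assumed guideline (not from the report): a ball is out of range when it
    differs from the set's median ball weight by more than ``tolerance_g``.
    The change in total set weight since ``prior_total_g`` is recorded too,
    so the review record captures both figures the laboratory provides.
    """
    missing = sorted(set(BALL_NUMBERS) - set(weights))
    if missing:
        raise ValueError(f"results missing for balls {missing}")
    mid = median(weights.values())
    out_of_range = {n: round(w - mid, 3) for n, w in sorted(weights.items())
                    if abs(w - mid) > tolerance_g}
    total = round(sum(weights.values()), 3)
    return {
        "set_id": set_id,
        "review_date": review_date,
        "reviewer": reviewer,
        "median_ball_weight_g": round(mid, 3),
        "total_weight_g": total,
        "total_change_g": round(total - prior_total_g, 3),
        "balls_out_of_range": out_of_range,   # ball -> deviation from median
        "eligible_for_drawing": not out_of_range,
    }


# Constructed sample data: four pretests in which balls 3 and 14 each came up
# three times, and a lab report where ball 12 is 0.12 g heavier than the rest.
SAMPLE_PRETESTS = [{3, 9, 14, 22, 30}, {3, 7, 14, 25, 33},
                   {1, 3, 14, 19, 36}, {5, 8, 11, 27, 31}]
SAMPLE_WEIGHTS = {n: 2.50 for n in BALL_NUMBERS}
SAMPLE_WEIGHTS[12] = 2.62


if __name__ == "__main__":
    print(pretest_decision(SAMPLE_PRETESTS))
    print(pretest_decision(SAMPLE_PRETESTS + [{2, 14, 17, 26, 34}]))
    record = review_ball_set_weights("set C", SAMPLE_WEIGHTS, 92.50, 0.05,
                                     "security investigator", "1994-03-01")
    print(record["balls_out_of_range"], record["eligible_for_drawing"])
```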


Computer Security Controls


Computer security controls protect assets and limit losses from three types of basic threats: intentional acts such as fraud or sabotage; disasters such as water or fire damage; and human errors and omissions such as data entry errors. We noted several weaknesses in computer security controls for the Stratus and Automated Wagering International (AWI) computer systems.


Stratus System Physical and Environmental Controls


We evaluated physical and environmental controls over the Stratus computer system. These controls protect the system from potential disasters such as fire or water damage. During the course of our examination, we noted the following areas where the Lottery could improve environmental controls over its computer facility.


Water Lines Above the Computer Room


A sink with a charged water line is located directly above the computer room. If this line were to break, the water could cause extensive damage to the Lottery's computer system. Water lines above the computer room should either be moved or the flow of water completely eliminated. We recommend the Montana Lottery eliminate the flow of water in the water lines above the computer room.


Fire Extinguisher and Smoke Alarm Need to be Tested


The computer room is protected from fire damage through an early warning smoke alarm, and a hand-held halon fire extinguisher. We found the smoke alarm was not included in regular testing and the fire extinguisher testing was past due. Regularly scheduled testing of the fire detection and suppression devices should be done to ensure computer equipment is protected from fire damage. Testing of both the smoke alarm and the fire extinguisher was overlooked by security officials. We recommend the Montana Lottery develop a checklist to assist security staff in testing all security devices, including the smoke alarm and fire extinguisher.


Stratus System Access and Organizational Controls


During the course of our audit we reviewed access and organizational controls over the Lottery's Stratus computer system. This review included: evaluating user access provided to various computer operations, evaluating the Lottery's disaster recovery plan, and determining the level of internal computer security reviews conducted by the Lottery to ensure security exists over its computer system. Improvements are necessary in access and organizational controls.


Retain Documentation Supporting Computer Program Access


Computer programs are instructions defining operations to be performed by a computer. Lottery security policies and procedures require all requests for computer program access be documented using an authorized "Request for Program Access" form. We found "Request for Program Access" forms existed for access requests by new employees. However, these forms generally did not exist in those cases where existing employees requested an access change or update for the system. Lottery security officials indicated they receive these forms, but do not retain them once the access is changed. We recommend the Montana Lottery retain documentation authorizing access to Stratus operating and application files.


Reviews of ILS Access Rights Need Improving


Lottery employee access to the Stratus computer system should be limited to data files and programs needed in the performance of their duties. We found three employees with unnecessary access rights to Instant Lottery Software (ILS) applications. Job duties for these individuals did not require access.

Access to data files and programs in excess of job duties provides opportunity for unauthorized manipulation of ILS data. Security personnel told us they have not established a system for conducting reviews of employees' access and perform reviews when they have time. We recommend the Montana Lottery establish a system for reviewing employee access privileges to ILS applications and document these reviews. The Montana Lottery should also revoke access privileges to ILS applications for those users not requiring access in the performance of their job duties.


Develop a Disaster Recovery Plan


Backup and recovery planning consists of those activities undertaken in anticipation of circumstances which could result in complete or partial shutdown of the Lottery's Stratus computer system. Examples include fire, flood, earthquake, and vandalism.

Although the Lottery stores backup data offsite, it does not have a formal, tested backup and disaster recovery plan or an alternate site agreement for the Stratus system. Without a disaster recovery plan or alternate site agreement, a major disruption in computer operations could adversely affect Lottery operations.

We recommend the Montana Lottery develop a formal, tested backup and recovery plan that includes an alternate site or equipment replacement agreement.


Lottery Retailer Filing and Data Input Procedures


We reviewed the accuracy of retailer information found on the Lottery's computer system by comparing retailer information found on the computer system to the supporting documentation maintained in the hard copy retailer files. During our review, we identified areas where the Lottery could improve its procedures for maintaining supporting documentation and inputting retailer information into its computer system. The following sections discuss improvements that should be made.


Security Staff Should Review Retailer Files


Lottery policy requires specific forms and information be contained in the hard copy retailer files prior to issuance of a license to a retailer to sell Lottery tickets. Of 22 retailer files tested, 19 (86 percent) did not contain all hard copy information required by Lottery policy. Consequently, we were not able to determine if the information on the system is accurate. We also noted several instances where changes were made to retailer information on the computer system. However, in most cases the retailer files did not contain the required authorized documentation supporting these changes.

In those cases where documentation was in the retailer files, we found instances where information on the computer system did not match the supporting documentation. Information we found which was incorrect on the computer system included: retailer names, phone numbers, and addresses; tax ID numbers; and lottery regional numbers. In addition, we found two retailers who were terminated, but were still shown as active on the system. The security department is responsible for the accuracy and completeness of the hard copy retailer files.

We recommend the Montana Lottery perform a review of hard copy retailer license files prior to license issuance in accordance with internal security policies. The Lottery should also establish a policy for centralized review of all changes to hard copy retailer files and information on the computer system. A review of the accuracy of existing hard copy retailer files and computer information should also be conducted.


Computer Security Review Should be Performed


Section 2-15-114, MCA, specifies state agencies are responsible for ensuring security for all their data and information technology resources. This law also requires state agencies ensure internal evaluations of the security program for data and information technology resources are conducted.

In the two prior security audits, we recommended the Lottery perform these reviews. At the completion of our 1989 audit, the Lottery formed a data processing security group in response to our recommendation. Although we found the group occasionally meets to discuss needed changes relative to data processing, the accomplishments relating to computer security have been minimal. We believe group activities should emphasize more intensive security evaluations.

We recommend the Montana Lottery develop for the data processing security group a mission and specific goals and objectives which include conducting on-going comprehensive security reviews of the computer system. The Lottery should also develop a written plan on how to meet the mission and these goals and objectives.


Automated Wagering International (AWI) Computer Operations


We visited AWI in Olympia, Washington, to review the security over the computer system which administers operations for Montana's on-line Lotto games.


AWI Disaster Recovery Plans Should Include the Montana Lottery


We reviewed AWI's disaster recovery plan and found no mention of the Montana Lottery as part of the plan. We also noted AWI's disaster recovery does not include a formal agreement for a specific alternate site for computer operations to resume in the event of a disaster.

Since the Montana Lottery is not included in AWI's disaster recovery plan, there is less assurance the Lottery would be included in any disaster recovery efforts undertaken by AWI. In addition, not having a specific site designated as an alternate site for computer operations to resume does not provide assurance Montana's on-line Lotto games would be restored by AWI on a timely basis.

We recommend the Montana Lottery require the AWI disaster recovery plan include Montana Lottery operations and include an agreement for establishing an alternate computer facility.


On-Line Management Terminal Access Rights are not Approved and Reviewed


The On-Line Management Terminal (OLMT) system allows direct communication between the Montana Lottery and AWI's computer system located in Olympia, Washington. We reviewed the OLMT system access rights granted to Montana Lottery and AWI personnel. We found nine AWI employees with access rights to OLMT applications beyond the requirements of their position descriptions.

Access rights to applications in excess of job duties increase the potential for manipulation of OLMT retailer files and unauthorized changes to the game files. We found no process exists for Montana Lottery security officials to approve access rights to OLMT applications for AWI employees based on the requirements of their position descriptions. There is also no procedure for Montana Lottery security officials to periodically review access rights to OLMT applications.

We recommend the Montana Lottery approve AWI employee access rights to Lottery OLMT applications based on the requirements of employee position descriptions. We also recommend the Montana Lottery review the reasonableness of OLMT access on a periodic basis.
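One way to carry out the periodic access reviews recommended here for OLMT and earlier for the ILS applications, as an added Python example that is not the Lottery's or AWI's own procedure. The role names, application names, user IDs, granted-access records and approved exceptions are constructed for illustration; the report does not list them.

```python
from collections import defaultdict

# Position-description baseline: role -> applications the role requires.
# Constructed for this example; the report does not list the applications.
REQUIRED_ACCESS = {
    "validations technician": {"ILS validation"},
    "inventory technician": {"ILS inventory"},
    "computer operator": {"ILS backup"},
    "AWI retailer clerk": {"OLMT retailer maintenance"},
    "AWI game operator": {"OLMT game files"},
}


def review_access(granted, required, approvals, reviewer, review_date):
    """Reconcile granted access with position-description requirements.

    ``granted`` is a list of (user, role, application) tuples as read from the
    system's access tables.  ``approvals`` is a set of (user, application)
    pairs that security has approved beyond the role baseline and for which a
    "Request for Program Access" form is retained on file.

    Returns the documented review record: access to revoke, users whose role
    is not in the baseline (needs follow-up), and the exceptions relied on.
    """
    revoke, unknown, relied_on = [], [], []
    for user, role, app in granted:
        if role not in required:
            unknown.append((user, role, app))
        elif app in required[role]:
            continue                       # within the position description
        elif (user, app) in approvals:
            relied_on.append((user, app))  # documented exception, keep
        else:
            revoke.append((user, app))     # excess access, revoke
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "entries_reviewed": len(granted),
        "revoke": sorted(revoke),
        "unknown_roles": sorted(unknown),
        "approved_exceptions": sorted(relied_on),
    }


def missing_baseline_access(granted, required):
    """Users who lack an application their own role requires.

    Not a security finding, but a sign the access tables and the position
    descriptions are out of step and the baseline should be revisited.
    """
    held = defaultdict(set)
    roles = {}
    for user, role, app in granted:
        held[user].add(app)
        roles[user] = role
    return sorted((u, app) for u, role in roles.items()
                  for app in required.get(role, set()) - held[u])


# Constructed access listing: j.doe and awi07 hold one application each beyond
# their role; k.lee's extra application is covered by a retained form; awi12's
# role is not in the baseline at all.
SAMPLE_GRANTED = [
    ("j.doe", "validations technician", "ILS validation"),
    ("j.doe", "validations technician", "ILS inventory"),
    ("m.roe", "inventory technician", "ILS inventory"),
    ("k.lee", "computer operator", "ILS backup"),
    ("k.lee", "computer operator", "ILS validation"),
    ("awi07", "AWI retailer clerk", "OLMT retailer maintenance"),
    ("awi07", "AWI retailer clerk", "OLMT game files"),
    ("awi12", "AWI contractor", "OLMT game files"),
]
SAMPLE_APPROVALS = {("k.lee", "ILS validation")}


if __name__ == "__main__":
    record = review_access(SAMPLE_GRANTED, REQUIRED_ACCESS, SAMPLE_APPROVALS,
                           "director of security", "1994-03-01")
    for user, app in record["revoke"]:
        print(f"revoke {app!r} from {user}")
    print(record["unknown_roles"])
    print(missing_baseline_access(SAMPLE_GRANTED, REQUIRED_ACCESS))
```

The returned record is the review documentation the report asks for; retaining it alongside the "Request for Program Access" forms shows both what was granted and why.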


External Evaluations of AWI's Computer System


We found the Montana Lottery is not conducting or requiring an external review of AWI's computer operations as they relate to Montana Lottery operations. We have identified security weaknesses which require improvement in some areas of AWI's computer operations. These weaknesses occurred as a result of Montana Lottery security officials not formally monitoring AWI computer operations as they relate to the Montana Lottery.

We recommend the Montana Lottery establish an external evaluation process to ensure the security of AWI's computer system.


Computer Security Training


Computer systems are the center of Montana Lottery operations. Everything the Lottery does associated with its instant and on-line lotto game relies upon the secure operation of a computer system. The Lottery's director of security and investigator have been responsible for the security over Lottery operations, including computer security, since the Lottery's inception in 1987. However, we found these individuals have received a minimal amount of training related to computer security even though their position descriptions require an understanding of computer security.

Section 23-7-212, MCA, reflects the importance of having security personnel who are well-trained in all areas of Lottery security including its computer system. This law requires the director of security to be knowledgeable in computer security and be qualified by experience and training. Additionally, the director of security has designated the investigator as the system administrator over the Lottery's computer system. Therefore, it is also essential the investigator have appropriate knowledge of computer security requirements through appropriate computer security training.

We recommend the Montana Lottery establish and implement a computer security training plan and program for security personnel.
Introduction


Section 23-7-411, MCA, requires the Office of the Legislative Auditor to perform a comprehensive security audit every two years on all aspects of Montana Lottery security. This is the third security audit completed since the inception of the Lottery in 1987.


Audit Objectives


The objectives of this audit were to:

1. Determine the status of audit recommendations made in our prior security audits.

2. Determine if the building security system ensures security of the Lottery building and its contents.

3. Determine if controls exist at special events to ensure security over instant tickets, lotto terminals, and cash at these events.

4. Determine if the Lottery is completing background investigations of Lottery employees and retailers.

5. Evaluate management controls relating to security operations.

6. Determine if the Lottery's Stratus computer system, Instant Lottery System software, and on-line lottery computer system are secure.

7. Determine if Lottery operations are in compliance with state laws and administrative rules related to security.


Statement of Privileged and Confidential Information


Section 23-7-412, MCA, provides: "Specific audit findings relating to security invasion techniques are confidential and may be reported only to the legislative audit committee, the director of the lottery, the commission, the attorney general, and the governor." Previous audits had identified problem areas requiring a confidential audit report be issued due to the sensitive nature of these areas. However, we did not identify any areas requiring confidentiality during this audit.
Audit Scope and Methodology


The audit was conducted in accordance with governmental auditing standards for performance audits. Audit work focused on all aspects of security over Lottery operations and related management controls. Section 23-7-411, MCA, requires our office to review specific areas relating to Lottery security. During our audit we reviewed security over the Lottery building, Lottery games, and the Lottery computer system.

We also reviewed the implementation status of audit recommendations made in our previous audit reports. During our previous security audits, there were areas where no concerns were identified. We reviewed these areas to verify the same security controls still existed.

We reviewed the security controls over the Lottery's Stratus computer system. This included reviewing the appropriateness of employee access into system applications, evaluating physical and environmental controls protecting the system, reviewing various Stratus system documentation, and interviewing Lottery security and electronic data processing personnel.

We also evaluated the security controls over the computer system used for the Lottery's on-line lotto games. This included visiting Automated Wagering International (AWI) in Olympia, Washington, which provides computer services for Montana's on-line lotto games. During our visit, we determined if a recent sale of AWI caused any changes to the organizational structure of the company which could have affected computer security. We reviewed systems hardware and software controls, physical and environmental controls, and controls protecting both physical and electronic access to the system. We interviewed AWI security and electronic data processing personnel regarding procedures to ensure the security of the system. We also observed drawing procedures for the Lottery's on-line lotto games.

We evaluated security over the Lottery building including testing recently installed security devices at Lottery headquarters. These devices send an alarm to the Lottery's alarm service located in Missoula, Montana, in the event an intruder enters the Lottery building during non-working hours. Tests of the security devices included after hour tests to ensure they were working properly. We also inspected the Lottery's alarm service facility in Missoula. We tested equipment which monitors and receives alarms from the security devices located at Lottery headquarters. We also evaluated Lottery procedures to control access to the Lottery warehouse.

We examined the extent of security over special events in which the Lottery participates. We reviewed policies and procedures regarding these events and attended special events to observe security over instant and on-line lotto games, lotto terminals, and cash.

We examined management controls relating to security. This included a review of such things as Lottery goals and objectives, policies and procedures, training, and performance appraisals.


Prior Audit Recommendations


The audit reports regarding Lottery security issued in October 1991 contained 24 recommendations suggesting ways Lottery management could improve security over various aspects of its operations. The recommendations were in areas relating to background investigations of Lottery personnel, management controls, and computer security. Lottery officials concurred with all the recommendations and established time frames to implement the recommendations.

During this audit we found Lottery management had implemented 17 of the prior audit recommendations and 3 were not fully implemented. Four other recommendations specifically related to the Lottery's internal audit function. These recommendations included changing the Lottery organizational structure so the internal auditor reports directly to the Lottery director; finalizing an internal audit charter; establishing policies and procedures specifying the role of the internal audit function; and, requiring the internal auditor to document audit work. Since the completion of our last security audit the internal audit position became vacant. The Lottery eliminated this position as a cost savings measure. Therefore, these recommendations were not applicable during this audit.

The three recommendations which were not fully implemented are discussed later in the report. They relate to performing more detailed data security reviews, establishing computer security training programs for security personnel, and restricting access privileges to computer programs not required in the performance of daily job duties.


Areas Where Security Controls Exist


We found many areas continue to have sufficient security controls as determined during previous audits. Furthermore, by implementing most of the recommendations from our previous security audit, the Lottery has also improved security. Areas in which we found security to be sufficient during this review include:


-- Instant games, including the delivery of tickets to Lottery headquarters and retailers, inventory procedures, and storage procedures.

-- Validation of winning tickets for instant and on-line lotto games.

-- Background investigations of Lottery employees, including obtaining fingerprints.

-- Controls over instant and on-line lotto game tickets and cash at special events.

-- Destruction of unsold instant tickets.

-- Montana Cash and Powerball drawings.

-- Performance appraisals for security-related staff.


Compliance


As part of our audit we reviewed compliance with state laws, administrative rules, and policies relating to Lottery security operations. We generally found the Lottery to be in compliance with applicable requirements; however, some instances of noncompliance were found. The areas of noncompliance concerned computer security training for security staff and internal evaluations of security over the Lottery's computer system. These issues are discussed later in the report.
Management Memorandum


During the audit we asked Lottery officials for written responses to potential report issues and recommendations. In addition, we issued a management memorandum to Lottery officials regarding:

Tape backup logs - Procedures exist for establishing tape backup of computer system and application files. However, these procedures would be strengthened if the Lottery maintained a tape backup log. This would provide a means for Lottery employees to easily determine which tapes were available and obtain information needed to pull or replace expired tapes.

Retention schedules - The Lottery has no retention schedule for backup tapes. The Lottery should establish a formal retention schedule for the backup tapes to provide guidance to Lottery staff as to how long tapes should be retained before reuse.
Introduction


In November 1986, the people of Montana passed Legislative Referendum 100 establishing a state lottery. Lottery ticket sales began on June 24, 1987, with an instant win scratch game being the first Lottery game offered to the public. The Lottery has since increased the number of Lottery games by adding three on-line lotto games: Powerball, Montana Cash, and Tri-West Lotto. Ticket sales for Powerball began in April 1992 replacing Lotto*America. Ticket sales for Montana Cash began in May 1991. In February 1994, the Lottery introduced its third on-line lotto game called Tri-West Lotto. This game is offered in partnership with two other states, Idaho and South Dakota, and offers jackpot sizes between those won in Powerball and Montana Cash. Tri-West Lotto was not included in our review because it was not operational until after our audit work was completed.


Lottery Goals


Lottery management has established several security-related goals for the operation of the Lottery. Some of the major goals include:


-- Maintain the integrity of the Lottery games and drawings by enforcing adequate security measures.

-- Provide necessary support services to allow the Lottery to effectively serve both players and retailers.

-- Maximize staff potential and encourage excellence in the work place.


Lottery Organization


The Montana Lottery is attached to the Department of Commerce for administrative purposes only. Lottery operations are administered by the Lottery Commission and a Lottery director. The following figure displays the organizational structure of the Lottery.




Chapter II - Background


Figure 1
Montana Lottery Organization

(Organization chart. Positions shown: Director; Operations Director; Marketing Director; Security Director; Marketing Assistant; Graphics Specialist; DP Manager; Comptroller; Research/On-line Mgr.; Instant Product Mgr.; Communications; Sales Manager; Investigator; Warehouse Supervisor; Programmer Analyst; Game Accountant; Sales Reps Regions 1-9; Marketing Accounts Mgr.; Inventory Technician; Info Systems Tech. II; On-Line Accountant; Tel-Sell (Half-Time); Computer Operator; Accounting Tech.; Validations Tech.)

Source: Compiled by the Office of the Legislative Auditor from Lottery records.

Lottery Commission


The Lottery Commission consists of five members appointed by the Governor. Section 23-7-201, MCA, requires three of the five members to come from specific professions. One commissioner must have a minimum of five years law enforcement experience, one commissioner must be an attorney licensed in Montana, and one commissioner must be a certified public accountant licensed in Montana. The remaining two board members are public members.


The Commission meets with the Lottery director at least once every three months to set policy, determine the types of games to offer, and review Lottery activities and operations.
Legislative Liaison Committee


In January 1987 a Legislative Liaison Committee was established to report on the operations of the Lottery. According to section 23-7-203, MCA, "The liaison committee consists of four legislators. Two members must be from the senate and two members must be from the house of representatives. The speaker of the house and the senate committee on committees shall appoint the members of the liaison committee, and no more than two members may be of the same political party. No legislator who has any ownership interest in any gambling device or establishment may be appointed to the liaison committee." The liaison committee is to meet once each fiscal year with the commission in Helena and report to the Legislature on the activities and operations of the state lottery.


Lottery Staff/Department Responsibilities


The Montana Lottery is authorized a total of 35.5 FTE. The Lottery has an administrative function which includes the Lottery director, who is appointed by the Governor, and three other FTE. The remaining 31.5 FTE are located in one of the three main Lottery departments: Operations, Marketing, and Security. A brief description of each department follows.


Operations Department


The operations department is authorized ten FTE, including a director of operations who administers the department. Other FTE include an EDP manager and three EDP staff, a comptroller, a game accountant, an on-line accountant, an accounting technician, and a validation technician.


The operations department is responsible for accounting and fiscal management of the Lottery, including establishing Lottery budgets and monitoring ticket sales. Other responsibilities include validating winning tickets and administering data processing operations.
Marketing Department


The marketing department is authorized 17.5 FTE including a director of marketing who administers the department. Other FTE include a graphics specialist, a marketing assistant, an instant product manager, a sales manager, a marketing researcher, a communications coordinator, nine marketing representatives, and a marketing accounts manager. There is also a half-time position which assists the telephone sales manager with calls to Lottery retailers. In order to deliver instant tickets to retailers in different parts of the state the marketing representatives are located in Billings, Bozeman, Butte, Great Falls, Glasgow, Helena, Kalispell, Miles City, and Missoula. The marketing representatives are also responsible for promoting the Lottery's instant and on-line lotto games. This is done by distributing point-of-sale materials to the retailers, negotiating space with retailers for product displays, and attending special promotion events for the Lottery in their regions.

The marketing department is responsible for designing and managing Lottery games, researching and analyzing Lottery sales, distributing instant game tickets to retailers, and promoting the Lottery.


Security Department


The security department is authorized a total of four FTE which includes a director of security who is responsible for overseeing the security operations of the department including the Lottery warehouse. Other FTE include an investigator and two warehouse personnel.

The department is responsible for monitoring all aspects of security over Lottery operations. This includes performing background checks of all employees and ticket retailers, licensing of retailers, ensuring tickets are produced and printed in compliance with established security measures, and directing investigations of alleged Lottery fraud or theft. The department also monitors special drawings and promotions, establishes security policies and procedures for new games designed by the Lottery, and ensures the security of the Lottery's computer system. The overall goal of the security department is to maintain security, honesty, fairness, and integrity over Lottery operations.


Lottery Funding


Lottery operations are funded through the sale of instant and on-line lotto game tickets. Section 23-7-402, MCA, specifies how Lottery revenues are to be distributed. This statute requires a portion of the money collected from ticket sales to be used for the payment of prizes, retailer commissions, and operating expenses. Funds not used for these purposes are considered net revenue and are paid quarterly to the Office of Public Instruction and the Board of Crime Control. Table 1 illustrates those areas in which state law requires lottery revenue to be distributed.


Table 1
Revenue Distribution Requirements
Fiscal Year 1993-94

Area For Distribution          Percentage for Distribution
Prize Money                    Minimum 45%
Retailer Commissions           No more than 10 percent
Operating Expenses             Not specified
Office of Public Instruction   Net revenue paid quarterly as state equalization aid
Board of Crime Control         9.1% of net revenue, not to exceed $1 million, to fund
                               state grants to counties for youth detention services
                               (State law required first year transfer of only 1.6%)

Source: Compiled by the Office of the Legislative Auditor from Montana Code Annotated.
Sales and Distribution of Net Revenue


During its six years of operation (through June 30, 1993) the Lottery had sales of $147.4 million. Transfers have totalled $33.2 million to the Office of Public Instruction and $900,000 to the Board of Crime Control. Lottery sales and distributions of revenues for the last three fiscal years are displayed in the following table:


Table 2
Montana Lottery Revenue and Distributions
Fiscal Years 1990-91 through 1992-93
(Millions)

                    FY 1990-91   FY 1991-92   FY 1992-93     TOTAL
Revenues
  Instant Games        $ 8.2        $ 9.3        $ 9.1       $26.6
  Lotto*America         14.8         10.5          N/A        25.3
  Powerball              N/A          2.4         18.5        20.9
  Montana Cash            .9          5.8          9.1        15.8
  TOTAL                $23.9        $28.0        $36.7       $88.6

Distributions
  Prizes               $11.7        $13.6        $17.7       $43.0
  Commissions            1.3          1.6          2.0         4.9
  Ticket Costs           4.0          4.2          5.2        13.4
  Operations             2.7          3.0          3.0         8.7
  OPI Transfers          4.2          5.5          8.0        17.7
  BCC Transfers          N/A           .1           .8          .9
  TOTAL                $23.9        $28.0        $36.7       $88.6

Source: Compiled by the Office of the Legislative Auditor from Lottery records.

Computer Operations


The Montana Lottery uses its own minicomputer known as the Stratus system to perform the majority of its data processing activities. The Stratus system utilizes Instant Lottery Software (ILS) to perform various functions associated with instant games. Some of the ILS functions the Lottery utilizes include:


--    Verifying winning instant tickets.

--    Writing checks to winners.

--    Voiding unused, returned, or stolen tickets.

--    Monitoring and issuing ticket inventory.

--    Collecting payments from retailers using electronic funds transfer.

--    Collecting various types of data regarding prize winners.

In addition to performing functions related to instant games, the Stratus system also verifies the integrity of AWI's computer system which administers the Lottery's on-line lotto games. This is done via the Internal Control System (ICS) which is part of the Lottery's Stratus computer system. The ICS gives the Lottery the capability to verify the accuracy of AWI's ticket sales information for on-line lotto games.


Instant Games


Introduction


Instant games were the first games offered by the Lottery. These games allow players to determine if they are winners by rubbing a latex coating off a ticket. For example, if three identical play symbols appear on the ticket players win instantly. If a winning ticket is $50 or less it can be redeemed by the retailer from which the ticket was purchased. If the ticket is more than $50, it must be redeemed by the Lottery. This can be done by a player either bringing the ticket to the Lottery or mailing the ticket to the Lottery.


The Lottery offers the public a choice of instant games by offering two games simultaneously. This allows the Lottery to offer one instant game with more high-tier winners and one with more low-tier winners. An instant game is on sale for approximately 12 weeks with a new game offered every 6 weeks.

The following sections discuss the Lottery's instant game cycle including: game design and prize structure, ticket delivery and inventory, ticket distribution, and procedures followed by Lottery personnel at the end of an instant game.
Game Design/Prize Structure


Instant games are designed by various Lottery staff who meet periodically to discuss game strategies, prize structures and ticket specifications. Once this information is determined, working papers are developed which detail the specifications for the game such as the Guaranteed-Low-End-Prize-Structure (GLEPS) and the physical appearance of the tickets. After the working papers are compiled, they are sent to the instant ticket vendor (Dittler Brothers, Inc.) which reviews the working papers and returns them to the Lottery with suggested changes and/or questions. Several draft versions of working papers are developed and reviewed by both the Lottery and Dittler Brothers, Inc. before a final game design and prize structure is selected. Upon approval of the final working papers by Lottery personnel, they are returned to Dittler, Inc. so they can begin printing tickets.


Ticket Delivery/Inventory


All instant tickets are printed by Dittler Brothers, Inc. in Atlanta, Georgia, and shipped directly to Lottery headquarters via tractor/trailer. When the trailer arrives at Lottery headquarters, a member of the security department inspects the trailer for signs of tampering. This entails comparing the seal and lock numbers on the trailer to those listed on the bill-of-lading and conducting a visual inspection of the trailer. Once the security representative is satisfied the trailer has not been tampered with, the trailer seal is cut and the trailer opened. The contents are then inspected by security or warehouse personnel for any damage or signs of tampering. The trailer is unloaded and the tickets moved inside the Lottery warehouse.


Once the tickets are in the warehouse, a 100 percent inventory is conducted. Using inventory reports supplied by Dittler, a visual inspection of each pack of tickets is performed. The packs are examined to ensure: all tickets are present, the latex covering is free from scratches, play symbols are covered by latex, the general appearance of tickets is good, and the shrink wrap on individual packs is free of tears. Defective packs are recorded and pulled from the inventory. As part of the inventory process, security staff perform a GLEPS test on the tickets. The main purpose of the GLEPS test is to assure ticket shipments meet the prize structure approved by the Lottery. After the inventory is complete, ticket packs are separated into marketing representative regions in the warehouse. Once the tickets are separated, they are ready for delivery to the marketing representatives.


Ticket Distribution


At the start of a new instant game the tickets are either picked up by the marketing representatives or delivered to the marketing representatives by Lottery staff. The marketing representatives store the tickets in established storage areas which have been reviewed and approved by Lottery security personnel. The marketing representatives then deliver tickets to the retailers for sale to the public. Periodically, the Lottery uses United Parcel Service to deliver tickets directly to a retailer. This is usually only done when marketing representatives are sick or on vacation and a retailer needs tickets delivered as soon as possible.


End-of-Game Procedures


At the conclusion of each game, marketing representatives gather unsold instant tickets from the retailers. The marketing representatives are then responsible for returning these tickets to Lottery headquarters. Upon receipt of unsold tickets from all regions, a 100 percent inventory is performed by warehouse personnel.


Ticket Disposal


Upon completion of the ticket inventory, the unsold tickets are stored for the six months winning tickets could still be submitted for prize payment. After the six month waiting period an audit of the tickets is conducted by staff from the operations department. At the completion of the audit the unsold tickets are incinerated.
On-Line Lotto Games


Introduction


Currently, three on-line lotto games are being operated by the Lottery: Powerball, Montana Cash, and Tri-West Lotto. On-line lotto games are controlled by a central computer system which is attached to sales terminals at retailer locations. A communications network is used to transfer information on ticket sales from the terminals to the central computer.


Powerball


In April 1992 Powerball replaced Lotto*America as Montana's multi-state lotto game. As with Lotto*America, Powerball is a multi-state on-line lotto game offering smaller states the opportunity of providing larger jackpots than is typically possible through a state lotto game. During fiscal year 1992-93 the Montana Lottery participated in Powerball with 13 other states and the District of Columbia.


By participating in Powerball, the Lottery is a member of the Multi-State Lottery Association (MUSL) which is headquartered in Des Moines, Iowa. MUSL administers operations for Powerball as it did for Lotto*America. The Lottery must assure MUSL of compliance with MUSL rules and Powerball game procedures. Powerball drawings are held in Des Moines, Iowa, every Wednesday and Saturday night.

The Powerball drawings are monitored to maintain the security and integrity of the drawings. Off-duty police officers and independent auditors are contracted by MUSL to oversee the drawing. Additionally, independent audit firms contracted by MUSL observe drawing procedures performed by each MUSL member including the Montana Lottery staff at Lottery headquarters.

Powerball replaced Lotto*America in order to improve the odds of players winning a prize. Powerball offers players nine different prize levels compared to only three for Lotto*America. Players win or share the Powerball jackpot by matching five white balls in any order from a field of 45 numbers and matching a red "powerball" from a separate field of 45 numbers. Powerball jackpots start at a guaranteed $2 million and increase each time they are not won based upon total ticket sales for each drawing. Players can also win prizes ranging from $1 to $100,000 based on the number of balls they match. Players purchase Powerball tickets from licensed retailers for one dollar and receive one chance to win for each dollar spent. There is no limit on the number of chances a player can purchase.


The following figure illustrates the prize structure for Powerball and the odds of winning various prizes for each one dollar play.
Figure 2
Powerball Prize Structure

Match                          Prize       Odds per $1 Play
5 White Balls + POWERBALL      JACKPOT     1:54,979,155
5 White Balls                  $100,000    1:1,249,526
4 White Balls + POWERBALL      $5,000      1:274,896
4 White Balls                  $100        1:6,248
3 White Balls + POWERBALL      $100        1:7,049
3 White Balls                  $5          1:160
2 White Balls + POWERBALL      $5          1:556
1 White Ball + POWERBALL       $2          1:120
POWERBALL                      $1          1:84

Overall Odds - 1:35

Source: Montana Lottery

Powerball tickets are printed from on-line lotto terminals located in retailer establishments. Players can choose their own numbers to play or have the terminal randomly select the numbers. Automated Wagering International (AWI) is responsible for the maintenance of these terminals and provides and installs terminals in retailer locations selected by the Lottery. AWI also supplies retailers with ticket stock and provides technical assistance regarding terminal operations.
Montana's Powerball operations are controlled by a central computer located in Olympia, Washington, which is administered by AWI. AWI's computer system monitors, stores, and compiles ticket sales information such as the date and time tickets were purchased and the numbers selected. AWI's computer system is monitored by the Lottery's Internal Control System (ICS) which is part of the Lottery's Stratus computer system. The ICS gives the Lottery the capability to verify the accuracy of AWI's ticket sales information for on-line lotto games.


Montana Cash


Ticket sales for Montana Cash began in May 1991. Unlike Powerball which is a multi-state lotto game, Montana Cash is an on-line lotto game played only in Montana. Drawings for Montana Cash are held each Wednesday and Saturday evening at Lottery headquarters.


Montana Cash offers players a chance of winning a guaranteed minimum jackpot of $20,000 by matching five numbers from a field of thirty-seven. This game is designed to offer jackpots which are smaller than Powerball but larger than top prizes typically offered via an instant game. In addition, a player wins $200 by matching four of thirty-seven numbers and $5 by matching three numbers. The following table illustrates the prize structure for Montana Cash and the odds of winning a prize.


Table 3
Montana Cash Prize Structure

Match      Prize      Odds per $1 Play
5 of 37    JACKPOT    1:217,949
4 of 37    $200       1:1,362
3 of 37    $5         1:44

Overall Odds - 1:43

Source: Compiled by the Office of the Legislative Auditor from Lottery records.
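The odds in Figure 2 and Table 3 follow directly from the game rules stated above (five white balls from 45 plus a Powerball from a separate field of 45; five numbers from 37 for Montana Cash). The script below, added here as an illustration and not part of the audit report, recomputes both tables from those rules. It assumes one play per dollar for Powerball, as the text states, and two plays per dollar for Montana Cash, which is an inference from the fact that every Montana Cash figure on the page equals the single-combination odds divided by two; the report itself does not state this.

```python
from fractions import Fraction
from math import comb, floor


def round_half_up(x):
    """Round to the nearest whole number with .5 rounding up (the tables' convention)."""
    return floor(x + Fraction(1, 2))


def match_ways(pool, pick, matched):
    """Drawn combinations that match exactly `matched` of a player's `pick` numbers."""
    return comb(pick, matched) * comb(pool - pick, pick - matched)


def single_play_odds(pool, pick, bonus_pool=0):
    """Exact odds ("1 in N", N as a Fraction) of every match outcome for one play.

    `pick` numbers are drawn from 1..`pool`.  When `bonus_pool` is nonzero a
    separate bonus ball (the red Powerball) is drawn from its own field, and
    each white-ball outcome is split by whether the bonus ball was matched.
    """
    outcomes = comb(pool, pick) * (bonus_pool or 1)
    odds = {}
    for matched in range(pick + 1):
        ways = match_ways(pool, pick, matched)
        if bonus_pool:
            odds[(matched, True)] = Fraction(outcomes, ways)  # bonus hit: 1 way
            odds[(matched, False)] = Fraction(outcomes, ways * (bonus_pool - 1))
        else:
            odds[(matched, False)] = Fraction(outcomes, ways)
    return odds


def prize_table(pool, pick, tiers, bonus_pool=0, plays_per_dollar=1):
    """Return (rows, overall) in the form the page's tables use.

    `tiers` lists ((matched, bonus_hit), prize) for every paying outcome.  Each
    row is (matched, bonus_hit, prize, odds_per_dollar); `overall` is the odds
    of winning any prize.  Odds per $1 play are the single-play odds divided by
    `plays_per_dollar` (assumption: this is how the page's figures were derived).
    """
    odds = single_play_odds(pool, pick, bonus_pool)
    rows = []
    win_probability = Fraction(0)
    for (matched, bonus_hit), prize in tiers:
        n = odds[(matched, bonus_hit)]
        rows.append((matched, bonus_hit, prize, round_half_up(n / plays_per_dollar)))
        win_probability += 1 / n
    overall = round_half_up(1 / win_probability / plays_per_dollar)
    return rows, overall


# Paying outcomes exactly as Figure 2 and Table 3 list them.
POWERBALL_TIERS = [
    ((5, True), "JACKPOT"), ((5, False), "$100,000"), ((4, True), "$5,000"),
    ((4, False), "$100"), ((3, True), "$100"), ((3, False), "$5"),
    ((2, True), "$5"), ((1, True), "$2"), ((0, True), "$1"),
]
MONTANA_CASH_TIERS = [((5, False), "JACKPOT"), ((4, False), "$200"), ((3, False), "$5")]


def powerball_table():
    """Five white balls from 45 plus one Powerball from 45; one play per dollar."""
    return prize_table(45, 5, POWERBALL_TIERS, bonus_pool=45)


def montana_cash_table():
    """Five numbers from 37; two plays per dollar (inferred, see lead-in)."""
    return prize_table(37, 5, MONTANA_CASH_TIERS, plays_per_dollar=2)


if __name__ == "__main__":
    for name, (rows, overall) in (("Powerball", powerball_table()),
                                  ("Montana Cash", montana_cash_table())):
        print(name)
        for matched, bonus_hit, prize, n in rows:
            label = f"{matched} + bonus" if bonus_hit else f"{matched}"
            print(f"  match {label:<10} {prize:<9} 1:{n:,}")
        print(f"  overall 1:{overall}")
```

Every value printed matches the corresponding entry in Figure 2 and Table 3, including the overall odds of 1:35 and 1:43.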
As with Powerball, AWI administers the computer operations for Montana Cash since tickets are sold using the same terminals as Powerball. The Montana Cash drawing is monitored by an independent auditing firm which assures the integrity of drawings and compliance with established drawing procedures.


Retailers


There are 760 retailers licensed to sell instant lottery tickets in Montana. Of these, 318 are also authorized to sell on-line lotto game tickets for Powerball and Montana Cash. Before retailers are considered for a license to sell lottery tickets, they are subject to a statutory background investigation by the Lottery's security department. The $50 cost of a retailer license is used to cover the expense of investigating and processing the application.

Retailers have specific responsibilities for both instant and on-line lotto games. Some of the retailer responsibilities for instant games include redeeming low-tier ($50 and under) instant tickets, providing security for their instant ticket inventory, paying the Lottery for ticket inventory received, and returning unsold tickets at game end. Retailer responsibilities for on-line lotto games include redeeming low-tier (under $600) tickets, correct use and operation of game terminals, and notifying AWI of any problems with the terminals. In order to spell out what is expected of the retailers, the Lottery has supplied retailers with policy and procedure manuals for both instant and on-line lotto games. Retailers can refer to the manuals for any questions they may have regarding either game. If retailers cannot find an answer in the manual, toll-free telephone numbers are provided for the Lottery and AWI.




Chapter III - General Security Procedures


Introduction


During the audit we found security procedures existed ensuring security over many areas of Lottery operations. However, we identified some areas where security procedures could be improved. This chapter examines the procedures for security over the lottery warehouse and for evaluating test results for disqualified Montana Cash ball sets. The following sections discuss the issues we identified.


Warehouse Access Policies not Enforced


During our security audit we observed employees other than security and warehouse personnel entering the Lottery warehouse. These employees have not been authorized unrestricted access to the warehouse by the Lottery's security department. All access was made through a set of double-doors which lead from the Lottery's office area directly into the warehouse. These doors are the main route between the office area and the warehouse. We noted an effective control system was not in place controlling access through these doors. During a one month time frame we observed 18 different occasions when employees with restricted access entered the warehouse through the double-doors.


Security policies make security and warehouse personnel responsible for monitoring access to the warehouse and ensuring the warehouse remains secure. This includes ensuring all warehouse doors are locked in the absence of security and warehouse personnel. These policies also require employees with restricted access to the warehouse be let in by ringing a doorbell located on the double-doors and signing an access log upon entering and leaving the warehouse. However, since the doors were not always locked, employees with restricted access were observed entering the warehouse without ringing the doorbell or signing the access log. On three occasions the door remained unlocked although neither security nor warehouse personnel were in the warehouse to monitor access. On two of these occasions employees with restricted access entered the warehouse.

The Lottery warehouse is used to store the Lottery's inventory of instant game scratch tickets, Montana Cash drawing ball sets, mail for second chance drawings, special promotional items, and Lottery check stock. Lack of control over warehouse access increases the potential that items stored there could be removed or tampered with by unauthorized personnel. It is likely other controls would limit the success of redeeming instant tickets or cashing Lottery checks. However, there could be a loss of public trust in the Lottery if employee theft occurred. Successful Lottery operations are dependent upon the public having faith in a secure Lottery, both externally and internally.

Security and warehouse personnel should enforce Lottery security policies which limit warehouse access to authorized employees. It is also important for security and warehouse personnel to ensure the manual access log is completed whenever other employees are allowed into the warehouse. This is the only way of obtaining a record of which employees have entered the warehouse and the reason they were allowed access.


Maintain the Control System Which Limits Warehouse Access


Lottery officials responded to our concern by installing new locks on the doors which automatically lock when the double-doors are closed. Officials told us only security and warehouse personnel have keys to the doors. In addition, they indicated the access log has been moved into the warehouse and will be monitored by security and warehouse personnel in the future.


It appears this action taken by security personnel addresses our concern regarding the double-doors. It is important this control system be maintained to ensure the security and integrity of the warehouse.
Recommendation #1

We recommend the Montana Lottery:

A. Maintain the control system which limits warehouse access to authorized employees.

B. Enforce the requirement all non-security and non-warehouse personnel sign the access log when entering and leaving the warehouse.


Montana Cash Ball Set Test Results


Introduction


Montana Cash is the Lottery's statewide on-line lotto game which offers players a chance to win by matching five numbers from a field of thirty-seven. To ensure the integrity of the Montana Cash drawing and that the numbers are randomly selected, the Lottery's security department has developed drawing procedures which are followed during each drawing. Five different drawing ball sets exist and procedures require drawing officials to randomly select two ball sets for the drawing. The ball sets used to conduct Montana Cash drawings consist of ping-pong balls which are numbered from one through thirty-seven. The first set selected is considered the primary ball set and the other is the secondary ball set. Before the Montana Cash drawing takes place, drawing officials conduct four pretests of the primary ball set. If the same ball is selected three times, a fifth pretest is required. If this ball comes up again during this test, the ball set is disqualified and is replaced with the secondary ball set. Disqualified ball sets are not eligible for another drawing until tested by the Weights and Measures Bureau of the Department of Commerce.
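The pretest rule just described, written out as an added example that is not part of the report or the Lottery's procedures. It reads "selected three times" as three or more appearances across the four pretests; the text does not say whether the count is per pretest or across them, so that reading is an assumption.

```python
from collections import Counter

PRETESTS_REQUIRED = 4   # pretests of the primary ball set before each drawing
REPEAT_THRESHOLD = 3    # same ball drawn this many times triggers a fifth pretest
BALLS_PER_DRAW = 5
HIGHEST_BALL = 37


def pretest_disposition(pretests):
    """Decide whether a primary ball set may be used, from its pretest draws.

    `pretests` is a list of sets, each the five ball numbers drawn in one
    pretest, in the order the pretests were held.  Returns (status, balls)
    where status is "eligible", "fifth_pretest_required" or "disqualified"
    and balls are the numbers that triggered the extra test (empty when none
    did).  Assumption: "selected three times" is counted across the four
    pretests.
    """
    if len(pretests) < PRETESTS_REQUIRED:
        raise ValueError("four pretests are required before a drawing")
    for draw in pretests:
        if len(draw) != BALLS_PER_DRAW or not all(1 <= b <= HIGHEST_BALL for b in draw):
            raise ValueError(f"malformed pretest draw: {sorted(draw)}")
    counts = Counter(b for draw in pretests[:PRETESTS_REQUIRED] for b in draw)
    repeated = {b for b, n in counts.items() if n >= REPEAT_THRESHOLD}
    if not repeated:
        return "eligible", repeated
    if len(pretests) == PRETESTS_REQUIRED:
        return "fifth_pretest_required", repeated
    # A fifth pretest was held: the set fails only if a repeated ball reappears.
    again = set(pretests[PRETESTS_REQUIRED]) & repeated
    if again:
        return "disqualified", again   # set goes to Weights and Measures
    return "eligible", repeated


# Constructed pretest results (not Lottery data): ball 12 comes up in three of
# the four pretests, so a fifth is required; in the fifth it comes up again.
SAMPLE_PRETESTS = [
    {12, 3, 19, 27, 33}, {12, 8, 15, 22, 36}, {1, 9, 12, 24, 30}, {2, 11, 17, 29, 35},
]
SAMPLE_FIFTH = {12, 5, 14, 21, 31}

if __name__ == "__main__":
    print(pretest_disposition(SAMPLE_PRETESTS))
    print(pretest_disposition(SAMPLE_PRETESTS + [SAMPLE_FIFTH]))
```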
Test Documentation Supplied by Weights and Measures not Evaluated


During our security audit we evaluated the Lottery security department's process for testing disqualified Montana Cash ball sets. The Weights and Measures laboratory provides information regarding how much the total weight of a disqualified ball set has changed and also provides documentation indicating the weights of each individual drawing ball.


We found that although the Lottery's security department can determine if the weight of an entire ball set has changed, it does not have a process for monitoring the documentation for the individual drawing balls to determine if the weight of the balls has changed. When test results are received from Weights and Measures the documentation is filed away and nothing more is done with it. In addition, the security department has not established a guideline for acceptable weight ranges for the drawing balls.


A  Weight  Guideline 
Should  be  Established 


The  test  conducted  by  Weights  and  Measures  includes  inspecting 
each  ball  for  roundness  and  weighing  each  ball  in  the  set.  The 
weighing  process  is  designed  to  determine  if  any  changes  have 
occurred  in  the  weight  of  the  drawing  balls  which  could  affect 
the  fairness  of  the  Montana  Cash  drawing. 


Officials at Weights and Measures indicated that because ping-pong
balls are lightweight plastic, the weight of the balls could change.
A variety of factors could cause changes in the weights of the
drawing balls, including barometric pressure, fingerprints, dirt,
and abrasions.

A significant change in the weight of just one ball in a ball set
could affect the randomness of the Montana Cash drawing in which
the ball set was used. A random drawing is important to ensure the
fairness of the game and ensure all players have an equal chance of
winning. By monitoring only the total weight of the ball set,
Lottery security officials cannot be positive the ball set will
ensure a random drawing. This must be done by monitoring the
individual drawing balls in the ball set. However, this
determination cannot be made without establishing a guideline on
the acceptable weight range for the drawing balls. Without this
guideline it is not possible to make an accurate determination
whether or not the weight of the drawing balls has changed too
much.

Lottery  security  officials  told  us  they  will  begin  working  to 
establish  a  guideline  for  acceptable  weight  ranges  of  Montana 
Cash  drawing  balls.   Security  officials  also  agree  the  weight  of 
the  individual  drawing  balls  is  valuable  information  and  they 
will  monitor  the  weights  of  these  balls. 
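The two controls described in this chapter, the four-pretest disqualification rule for a primary ball set and a per-ball weight review against a guideline range, as an added illustration that is not Lottery or Weights and Measures code. The weights, the tolerance value and the pretest draws are constructed sample data, and GUIDELINE_TOLERANCE_G is a placeholder for the guideline the Lottery has yet to set; the sample shows why an unchanged total weight does not prove the individual balls are unchanged.

```python
"""Per-ball weight review and pretest rule for a Montana Cash ball set.

Added illustration for the audit finding; this is not Lottery or Weights
and Measures code. All weights, the tolerance and the pretest draws are
constructed sample data, and GUIDELINE_TOLERANCE_G stands in for the
guideline the Lottery has yet to establish.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BALL_NUMBERS = range(1, 38)      # Montana Cash balls are numbered 1 through 37
GUIDELINE_TOLERANCE_G = 0.05     # assumed per-ball limit in grams (placeholder)


@dataclass
class WeightReview:
    total_before_g: float
    total_after_g: float
    out_of_range: Dict[int, float] = field(default_factory=dict)  # ball -> change (g)

    @property
    def total_change_g(self) -> float:
        return round(self.total_after_g - self.total_before_g, 3)

    @property
    def acceptable(self) -> bool:
        # The set is acceptable only when every individual ball is within
        # range; an unchanged total on its own proves nothing.
        return not self.out_of_range


def review_ball_set(baseline_g: Dict[int, float], current_g: Dict[int, float],
                    tolerance_g: float = GUIDELINE_TOLERANCE_G) -> WeightReview:
    """Compare each ball's reference weight against the latest lab weighing.

    Both mappings are ball number -> weight in grams. A ball is flagged when
    its weight moved by more than tolerance_g in either direction.
    """
    missing = set(BALL_NUMBERS) - set(current_g)
    if missing:
        raise ValueError(f"lab report is missing balls {sorted(missing)}")
    review = WeightReview(total_before_g=round(sum(baseline_g.values()), 3),
                          total_after_g=round(sum(current_g.values()), 3))
    for ball in BALL_NUMBERS:
        delta = round(current_g[ball] - baseline_g[ball], 3)
        if abs(delta) > tolerance_g:
            review.out_of_range[ball] = delta
    return review


def pretest_outcome(pretests: List[Set[int]],
                    fifth_pretest: Optional[Set[int]] = None) -> str:
    """Apply the pretest rule as the report describes it.

    Four pretests are drawn from the primary set. A ball drawn in three of
    them forces a fifth pretest; if that ball is drawn again the set is
    disqualified and the secondary set is used. Returns "accept",
    "fifth pretest required" or "disqualified".
    """
    if len(pretests) != 4:
        raise ValueError("exactly four pretests are required")
    counts = Counter(ball for draw in pretests for ball in draw)
    repeated = {ball for ball, n in counts.items() if n >= 3}
    if not repeated:
        return "accept"
    if fifth_pretest is None:
        return "fifth pretest required"
    return "disqualified" if repeated & set(fifth_pretest) else "accept"


def sample_review() -> WeightReview:
    """Constructed case: two balls drift in opposite directions, so the total
    weight is unchanged while two individual balls are out of range."""
    baseline = {ball: 2.700 for ball in BALL_NUMBERS}
    current = dict(baseline)
    current[7] = 2.780    # picked up 0.08 g (dirt, fingerprints)
    current[23] = 2.620   # lost 0.08 g (abrasion)
    return review_ball_set(baseline, current)


if __name__ == "__main__":
    r = sample_review()
    print(f"total change: {r.total_change_g:+.3f} g, acceptable: {r.acceptable}")
    for ball, delta in sorted(r.out_of_range.items()):
        print(f"  ball {ball:2d}: {delta:+.3f} g outside +/-{GUIDELINE_TOLERANCE_G} g")
```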


Recommendation  #2 

We  recommend  the  Montana  Lottery: 

A.  Create  a  guideline  for  acceptable  weight  ranges  for 
Montana  Cash  drawing  balls. 

B.  Monitor  and  document  the  information  provided  by 
Weights  and  Measures  to  determine  if  weights  fall 
within  this  acceptable  weight  guideline. 
Introduction


We  examined  security  controls  over  the  Lottery's  Stratus 
computer  system  and  the  Automated  Wagering  International 
(AWI)  computer  system.   Computer  security  controls  protect 
assets and limit losses from three types of basic threats:
intentional acts such as fraud or sabotage; disasters such as water or
fire  damage;  and  human  errors  and  omissions  such  as  data  entry 
errors.   During  our  audit  we  noted  several  weaknesses  in 
computer  security  controls  for  the  Stratus  and  AWI  computer 
systems.   The  following  sections  discuss  the  weaknesses  and 
improvements  which  should  be  made. 


Stratus  System  Physical 
and  Environmental 
Controls 


We  reviewed  the  Montana  Lottery's  computer  facility  to  evaluate 
physical  and  environmental  controls  over  the  Stratus  computer 
system.  These  controls  are  essential  to  protect  the  system  from 
potential  disasters  such  as  fire  or  water  damage.   During  the 
course  of  our  examination,  we  noted  the  following  areas  where 
the  Lottery  could  improve  environmental  controls  over  its 
computer  facility. 


Water  Lines  above  the 
Computer  Room 


A  sink  with  a  charged  water  line  is  located  directly  above  the 
computer  room.   If  this  line  were  to  break,  the  water  could  cause 
extensive  damage  to  the  Lottery's  computer  system.  This  would 
result  in  a  disruption  or  discontinuation  of  data  processing 
activities  until  repairs  were  made  or  replacement  parts  were 
installed.   A  properly  operating  computer  system  is  vital  to 
successful  lottery  operations. 


In  our  1989  security  audit  (87P-43A)  we  recommended  the 
Lottery  eliminate  the  flow  of  water  in  this  line.   Lottery  security 
officials  agreed  with  this  recommendation  and  the  water  was 
turned  off.   However,  security  officials  were  unaware  an 
employee  had  turned  the  water  back  on  until  we  notified  them 
during  this  audit.   An  employee  was  able  to  turn  the  water  back 
on  because  the  water  flow  was  not  eliminated  in  the  line. 
Instead,  it  was  turned  off  at  the  sink  which  allowed  the  water  to 
be  easily  turned  on  again.   In  addition,  turning  the  water  off  at 
the  sink  does  not  eliminate  the  water  in  the  line  located  above 
the computer facility. Consequently, the potential still exists
that  the  line  could  break  and  water  could  damage  the  computer 
system. 

Water  lines  above  the  computer  room  should  either  be  moved  or 
the  flow  of  water  completely  eliminated.   Eliminating  the  flow 
of  water  should  include  completely  draining  the  pipes  and 
installing  a  locking  valve  which  prevents  employees  from  turning 
the  water  back  on. 

In  response  to  our  concern  Lottery  security  officials  installed  a 
shut  off  valve  away  from  the  computer  room.   Security  officials 
indicated  this  valve  eliminates  the  flow  of  water  before  it  gets 
above  the  computer  room.  Since  the  flow  of  water  could  be 
turned  back  on,  security  officials  should  seal  the  valve  to  ensure 
it  remains  closed. 


Recommendation  #3 

We  recommend  the  Montana  Lottery  eliminate  the  flow  of 
water  in  the  water  lines  above  the  computer  room. 


Fire Extinguisher and Smoke Alarm Need to be Tested


The computer room is protected from fire damage through an
early warning smoke alarm and a hand-held halon fire
extinguisher. During our review, we found the smoke alarm was
not included in regular testing, and the fire extinguisher testing
was past due.

Regularly  scheduled  testing  of  the  fire  detection  and  suppression 
devices  should  be  done  to  ensure  computer  equipment  is 
protected  from  fire  damage.   Lottery  security  officials  told  us 
they  overlooked  the  testing  of  both  the  smoke  alarm  and  the  fire 
extinguisher  located  in  the  computer  room. 

Over  the  years  additional  security  devices  have  been  installed  in 
the  Lottery  building.   Consequently,  there  are  more  devices  to 
regularly test. This increases the likelihood a device may be
overlooked and not tested. Presently, security personnel are not
utilizing a checklist to conduct regular tests of security devices.
A checklist would help ensure all devices, including the smoke
alarm and fire extinguisher, are tested regularly. As a result of
our findings, Lottery security officials told us they will develop
a checklist to aid them in testing all security devices.


Recommendation  #4 

We  recommend  the  Montana  Lottery  develop  a  checklist  to 
assist  security  staff  in  testing  all  security  devices,  including 
the  smoke  alarm  and  fire  extinguisher. 


Stratus  System  Access 
and  Organizational 
Controls 


During the course of our audit we reviewed access and
organizational controls over the Lottery's Stratus computer system. This
review  included:  evaluating  user  access  provided  to  various 
computer  operations,  evaluating  the  Lottery's  disaster  recovery 
plan,  and  determining  the  level  of  internal  computer  security 
reviews  conducted  by  the  Lottery  to  ensure  security  exists  over 
its  computer  system.   We  noted  the  following  areas  where 
improvements  are  necessary  in  access  and  organizational 
controls. 


Retain Documentation Supporting Computer Program Access


Computer  programs  are  instructions  defining  operations  to  be 
performed  by  a  computer.  For  example,  the  Lottery's  instant 
ticket  inventory  is  monitored  utilizing  a  computer  program. 


Lottery  security  policies  and  procedures  require  all  requests  for 
computer  program  access  be  documented  utilizing  an  authorized 
"Request  for  Program  Access"  form.   This  form  is  to  be  approved 
by  both  the  department  head  for  which  the  employee  works  and 
the  security  department's  system  administrator.  Security  policies 
also indicate "no access will be honored by the system administrator
without the benefit of the completion of this form."

We reviewed computer program access requested by Lottery
personnel  for  Stratus  operating  and  Instant  Lottery  System  (ILS) 
application  files.   We  found  "Request  for  Program  Access"  forms 
existed  for  access  requests  by  new  employees.   However,  these 
forms  generally  did  not  exist  in  those  cases  where  existing 
employees  requested  an  access  change  or  update  for  the  system. 
Lottery  security  officials  indicated  they  receive  these  forms 
prior  to  any  access  changes  or  updates.   However,  security 
personnel  told  us  they  do  not  retain  these  forms  once  the  access 
is  changed. 


Documentation  provides  evidence  as  to  why  computer  program 
access  changes  or  updates  were  made  and  who  requested  and 
approved  the  changes.   Without  this  documentation  there  is  no 
record  of  why  access  changes  were  made.  Later  in  our  report  we 
discuss  the  need  for  the  Lottery  to  improve  security  reviews  of 
its  computer  system.   Lack  of  this  documentation  would  reduce 
the  effectiveness  of  these  reviews  as  they  relate  to  employee 
access  to  computer  applications. 

Policies  and  procedures  should  include  the  retention  of  "Request 
for  Program  Access"  forms.   The  Lottery  should  require  these 
forms  accompany  all  access  changes  and  updates.   In  addition 
these forms should be retained for future reference in
accordance with the Lottery's security review schedule and state
records  retention  policies.   Lottery  officials  told  us  they  will 
retain  all  program  access  forms  in  the  future. 


Recommendation  #5 

We  recommend  the  Montana  Lottery  retain  documentation 
authorizing  access  to  Stratus  operating  and  ILS  application 
files. 


Chapter IV - Computer Security

Reviews  of  ILS  Access 
Rights  Need  Improving 


Lottery  employee  access  to  the  Stratus  computer  system  should 
be  limited  to  data  files  and  programs  needed  in  the  performance 
of  their  duties.   We  reviewed  ILS  system  access  rights  granted  to 
Montana  Lottery  employees.   Based  upon  interviews  with 
Lottery  employees  and  reviews  of  their  position  descriptions,  we 
found  three  employees  with  unnecessary  access  rights  to  ILS 
applications.   All  three  employees  had  the  ability  to  sell  packs  of 
instant  tickets  to  walk-in  retailer  customers.   Job  duties  for  these 
individuals  did  not  require  access  to  these  applications. 

Access  to  data  files  and  programs  in  excess  of  job  duties 
provides  opportunity  for  unauthorized  manipulation  of  ILS  data. 
For  example,  the  potential  exists  for  ticket  sales  and  payment 
information  to  be  modified  without  authorization.   Lottery 
security  personnel  indicated  they  periodically  review  access 
rights  from  system  generated  documentation  and  these  cases  of 
improper  employee  access  rights  were  an  oversight.   However, 
security  personnel  also  told  us  they  have  no  system  for 
conducting  these  reviews  and  perform  them  when  they  find  time 
or  see  a  need.  Since  security  personnel  do  not  document  these 
reviews  we  were  unable  to  determine  if  reviews  are  being 
completed. 

The  security  department  should  establish  a  system  for  reviewing 
employee  access  privileges.  These  reviews  should  also  be 
documented  as  they  are  completed.   Documentation  of  review 
results  would  provide  indication  of  any  problem  areas  found  and 
what  was  done  to  address  these  problems.   Documentation  would 
also  provide  assurance  to  Lottery  management  the  reviews  are 
completed  and  problems  corrected. 
Recommendation #6

We  recommend  the  Montana  Lottery: 

A.  Establish  a  system  for  reviewing  employee  access 
privileges  to  ILS  applications  and  document  these 
reviews. 

B.  Revoke  the  access  privileges  to  ILS  applications  for 
those  users  not  requiring  it  in  the  performance  of  their 
job  duties. 


Develop a Disaster Recovery Plan for the Stratus System


Backup and recovery planning consists of those activities
undertaken in anticipation of circumstances which could result in
complete or partial shutdown of the Lottery's Stratus computer
system. Examples include fire, flood, earthquake, and
vandalism.

Although  the  Lottery  does  store  backup  data  off-site,  it  does  not 
have  a  formal,  tested  backup  and  disaster  recovery  plan  or  an 
alternate  site  agreement  for  the  Stratus  system.   Without  a 
disaster  recovery  plan  or  alternate  site  agreement,  a  major 
disruption  in  computer  operations  could  adversely  affect  Lottery 
operations  resulting  in  loss  of  data,  assets  and  revenue,  or 
processing  delays.   Additionally,  the  public  could  lose  confidence 
in  the  Lottery  if  a  computer  failure  resulted  in  the  public  not 
being  able  to  purchase  Lottery  tickets  or  redeem  winning  tickets 
for  any  significant  length  of  time. 

We  first  addressed  this  issue  during  our  1989  security  audit.  The 
Lottery  indicated  they  would  have  a  disaster  recovery  plan  in 
place  by  December  1989.   In  our  1991  audit,  we  found  the  plan 
had  progressed  and  believed  it  would  soon  be  in  place. 
However,  very  little  progress  has  been  made  since  that  time. 
Lottery  personnel  indicated  other  matters  took  priority  over  the 
disaster  recovery  plan  and  it  was  put  on  hold.   Security  officials 
told  us  they  have  been  discussing  equipment  replacement 
agreements with Stratus Computer Inc. and testing backup
possibilities.  The  Lottery  will  need  to  utilize  a  backup  facility 
other  than  the  one  used  by  the  state  of  Montana.  The  state's 
backup  facility  is  not  compatible  with  the  Stratus  system. 

Backup  and  recovery  capabilities  should  be  sufficient  for  timely 
restoration  of  files  and  applications  when  loss  or  damage  to  data 
occurs.   Disaster  recovery  plans  should  also  include  alternate  site 
or  equipment  replacement  agreements.  Such  an  agreement  would 
provide  backup  equipment  options  for  the  Stratus  computer 
system. 


Recommendation  #7 

We  recommend  the  Montana  Lottery  develop  a  formal, 
tested  backup  and  recovery  plan  that  includes  an  alternate 
site  or  equipment  replacement  agreement. 


Lottery Retailer Filing and Data Input Procedures


Introduction 


We  reviewed  the  accuracy  of  retailer  information  found  on  the 
Lottery's  computer  system  by  comparing  retailer  information 
found  on  the  computer  system  to  the  supporting  documentation 
maintained  in  the  hard  copy  retailer  files.  The  security 
department  maintains  retailer  files  which  contain  hard  copy 
documentation  for  information  input  into  the  system.   During 
our  review,  we  identified  areas  where  the  Lottery  could  improve 
its  procedures  for  maintaining  supporting  documentation  and 
inputting retailer information into its computer system. The
following  sections  discuss  our  concerns  and  those  improvements 
that  should  be  made. 
Supporting Documentation
Missing  from  Retailer 
Files 


Lottery  policy  requires  specific  forms  and  information  be 
contained  in  the  hard  copy  retailer  files  prior  to  issuance  of  a 
license  to  a  retailer  to  sell  Lottery  tickets.  These  forms  are  used 
to  gather  information  on  the  retailer  such  as  name,  address, 
phone  number,  and  Electronic  Funds  Transfer  (EFT)  account 
number.   An  EFT  account  number  is  the  bank  account  through 
which  a  retailer  pays  by  electronic  transfer  for  Lottery  tickets 
the  retailer  has  purchased. 


Of  22  retailer  files  tested,  19  (86  percent)  did  not  contain  all 
hard copy information required by Lottery policy.
Consequently, we were not able to determine if the information on the
system  is  accurate.   We  also  noted  several  instances  where 
changes  were  made  to  retailer  information  on  the  computer 
system.   However,  in  most  cases  the  retailer  files  did  not  contain 
the  required  authorized  documentation  supporting  these  changes. 
Therefore,  when  we  found  information  on  the  computer  system 
not  matching  the  information  in  the  retailer  files,  we  were 
unable  to  determine  which  was  correct. 


Retailer  Information  on 
Computer  System  is 
Incorrect 


In  those  cases  where  documentation  was  in  the  retailer  files,  we 
found  instances  where  information  on  the  computer  system  did 
not  match  the  supporting  documentation.  Information  we  found 
which  was  incorrect  on  the  computer  system  included:  retailer 
names,  phone  numbers,  and  addresses;  tax  ID  numbers;  and 
lottery  regional  numbers.   In  addition,  we  found  two  retailers 
who  were  terminated  but  were  still  shown  as  active  on  the 
system. 


Security  Staff  Should 
Review  Retailer  Files 


The  security  department  is  responsible  for  the  accuracy  and 
completeness  of  the  hard  copy  retailer  files.   Security  department 
policies  require  the  security  director  or  investigator  to  review 
retailer  files  prior  to  issuing  a  license.   However,  we  found  no 
evidence  of  such  a  review.   Additionally,  we  noted  security 
policies  do  not  require  security  officials  to  review  and  approve 
changes/updates  made  to  retailer  files  or  approve  changes  made 
on  the  computer  system.  Changes  can  be  made  by  the  Lottery 
for  instant  and  on-line  lotto  games  and  by  AWI  for  on-line  lotto 
games. These changes can be made without notifying security
personnel  or  obtaining  their  approval.   Many  of  these  problems 
would  have  been  avoided  if  security  personnel  conducted  more 
detailed  reviews  of  retailer  files  and  retailer  information  on  the 
computer  system. 

Establishing  policies  requiring  security  personnel  to  review 
retailer  files  and  retailer  information  on  the  computer  system 
would  help  ensure  the  accuracy  of  this  information.   This  should 
include  reviewing  and  approving  all  changes  and  updates  to  the 
files  to  ensure  all  documentation  is  placed  in  the  files.  Since  we 
found  several  files  where  information  was  either  incorrect  or 
missing  it  is  important  for  the  Lottery  to  also  conduct  periodic 
reviews  of  retailer  files  and  retailer  information  found  on  the 
computer system. This would help identify files that are
outdated, incomplete, or inaccurate.


Recommendation  #8 

We  recommend  the  Montana  Lottery: 

A.  Perform  a  review  of  hard  copy  retailer  license  files 
prior to license issuance in accordance with internal
security  policies. 

B.  Establish  a  policy  for  centralized  review  of  all  changes 
to  hard  copy  retailer  files  and  information  on  the 
computer  system. 

C.  Review  existing  hard  copy  retailer  files  and  computer 
information  for  accuracy. 


Computer  Security 
Reviews  Should  be 
Performed 


Section  2-15-114,  MCA,  specifies  state  agencies  are  responsible 
for  ensuring  security  for  all  their  data  and  information 
technology  resources.   Furthermore,  this  law  requires  the 
implementation  of  appropriate  cost-effective  safeguards  to 
reduce,  eliminate,  or  recover  from  identified  threats  to  data  and 
resources.  The  statute  also  requires  state  agencies  ensure  internal 
We noted the following improvements are necessary in general
controls  over  AWI's  computer  system  as  they  relate  to  Montana 
Lottery  operations. 


AWI  Disaster  Recovery 
Plan  Should  Include  the 
Montana  Lottery 


As  discussed  previously  on  page  32,  backup  and  recovery 
planning  is  critical  to  Lottery  operations.   We  reviewed  AWI's 
disaster  recovery  plan  and  found  no  mention  of  the  Montana 
Lottery  as  part  of  the  plan.   Instead,  the  plan  relates  specifically 
to  the  Washington  State  Lottery  Program.   For  example,  the  plan 
lists  people  to  contact  from  the  Washington  State  Lottery  and 
procedures  for  these  people  to  follow  in  the  event  of  a  disaster 
situation.  The  entire  plan  only  addresses  how  to  maintain 
Washington  State  Lottery  operations  in  the  event  of  a  disaster. 
The  plan  does  not  include  any  contacts  from  the  Montana 
Lottery.  The  plan  also  does  not  address  how  to  minimize  the 
effects  on  Montana  Lottery  operations  in  the  event  of  a  disaster. 
AWI  security  personnel  indicated  the  Montana  Lottery  is 
assumed  to  be  part  of  the  plan,  but  the  wording  of  the  plan  does 
not  indicate  this. 


Since  the  Montana  Lottery  is  not  included  in  AWI's  disaster 
recovery  plan,  there  is  less  assurance  the  Lottery  would  be 
included  in  any  disaster  recovery  efforts  undertaken  by  AWI.   At 
the  very  least,  disaster  recovery  efforts  for  Montana  could  be 
delayed  by  not  including  the  Lottery  in  the  plan.  Therefore,  the 
Montana  Lottery  should  be  specifically  included  in  AWI's 
disaster  recovery  plan. 


Disaster  Recovery  Plan 
Needs  Alternate  Site 
Agreement 


While  reviewing  AWI's  disaster  recovery  plan,  we  also  noted  it 
does  not  include  a  formal  agreement  for  a  specific  alternate  site 
for  computer  operations  to  resume  in  the  event  of  a  disaster. 
Wording in the plan regarding an alternate site is vague, stating
only that ". . . steps will be taken immediately to establish a
replacement data center."


Not  having  a  specific  site  designated  as  an  alternate  site  for 
computer  operations  to  resume  does  not  provide  assurance 
Montana's  on-line  Lotto  games  would  be  restored  by  AWI  on  a 
timely  basis.   Any  downtime  in  AWI's  computer  system  would 
result  in  the  Lottery  not  being  able  to  sell  or  redeem  Powerball 
or Montana Cash tickets. The Lottery would experience a loss of
revenue  and  a  possible  loss  of  public  trust  for  these  games. 

AWI  has  different  options  for  alternate  sites  such  as  using  its 
facilities  located  in  Minnesota  or  establishing  a  site  in  Olympia 
and  shipping  replacement  equipment  to  that  site.   AWI  should 
have  a  formal  agreement  designating  a  specific  backup  site  in  the 
event  its  main  computer  operations  shut  down.   Any  site  selected 
should  have  backup  and  recovery  capabilities  sufficient  to 
restore  files  and  applications  when  loss  or  damage  occurs. 


Summary


Lottery security officials told us they attended a two-day
meeting with AWI and Washington State Lottery officials to draft the
disaster recovery plan. Consequently, they are not sure why
information specific to Montana Lottery operations was
excluded from the plan.

AWI  has  the  foundation  for  an  effective  disaster  recovery 
system.   AWI  personnel  overlooked  the  Montana  Lottery  when 
drafting  the  plan  and  choosing  an  alternate  facility.   As  a  result 
of  our  concerns,  AWI  officials  indicated  they  will  begin 
integrating  Montana  into  the  disaster  recovery  plan.   They  also 
indicated  alternate  facilities  are  now  being  explored  and 
agreements  will  be  established  when  a  site  is  found. 


Recommendation  #10 

We  recommend  the  Montana  Lottery  require: 

A.  The  AWI  disaster  recovery  plan  include  Montana 
Lottery  operations. 

B.  The  AWI  disaster  recovery  plan  include  a  formal 
agreement  for  establishing  an  alternate  computer 
facility. 
On-Line Management
Terminal  Access  Rights 
are  not  Approved  and 
Reviewed 


The  On-line  Management  Terminal  (OLMT)  system  allows  direct 
communication  between  the  Montana  Lottery  and  AWI's 
computer  system  located  in  Olympia,  Washington.   We  reviewed 
the  OLMT  system  access  rights  granted  to  Montana  Lottery  and 
AWI  personnel.   We  found  nine  AWI  employees  with  access 
rights  to  OLMT  applications  beyond  the  requirements  of  their 
position  descriptions.   Two  AWI  personnel  had  the  ability  to 
update  retailer  files,  and  seven  had  the  ability  to  give  cash 
advances  to  retailers  and  make  retailer  adjustments.   In  addition, 
all  nine  employees  had  the  ability  to  update  on-line  lotto  game 
files.   AWI  security  officials  agreed  job  duties  for  these 
employees  do  not  require  access  to  those  applications. 


Access  rights  to  applications  in  excess  of  job  duties  increases  the 
potential for manipulation of OLMT retailer files and
unauthorized changes to the game files. We found there are no policies
and  procedures  requiring  Montana  Lottery  security  officials  to 
approve  all  access  rights  to  OLMT  applications  as  they  relate  to 
Montana  Lottery  operations.  Currently,  AWI  security  personnel 
authorize  access  rights  to  their  personnel  and  Montana  Lottery 
security  officials  approve  and  give  access  rights  to  Lottery 
employees.   No  process  exists  for  Montana  Lottery  security 
officials  to  approve  access  rights  to  OLMT  applications  for  AWI 
employees based on the requirements of their position
description. There are also no policies and procedures for periodically
reviewing  access  rights  to  OLMT  applications.  There  should  be 
a  schedule  for  reviewing  OLMT  access  rights  and  these  reviews 
should  be  documented. 

State law (section 23-7-212, MCA) gives the Lottery's security department the responsibility for ensuring the overall security of the Lottery. Therefore, all OLMT access rights for AWI employees should be approved by Lottery security personnel based on the requirements of the position description for these employees. Additionally, security personnel should periodically review the access.
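The approval and periodic review described above, as an added illustration that is not part of the audit report and is not AWI's or the Lottery's own tooling: a reconciliation of the rights actually granted on the OLMT against the rights each position description permits, producing the dated, documented review record the recommendation calls for. The role matrix, application labels, user names and grants are constructed assumptions modelled on the finding (nine vendor users holding retailer-file, cash-advance/adjustment and game-file rights their duties do not require).

```python
# Added illustration, not the audit's, AWI's or the Lottery's own tooling. The role
# matrix, application labels, users and grants below are constructed sample data.
from dataclasses import dataclass, field
from datetime import date

ROLE_ENTITLEMENTS = {   # OLMT applications each position description permits (hypothetical)
    "lottery_security": {"access_admin", "retailer_inquiry", "game_inquiry"},
    "vendor_operator": {"game_inquiry", "retailer_inquiry"},
    "vendor_developer": {"game_inquiry"},
}

@dataclass
class Grant:
    user: str
    employer: str                      # "Lottery" or "AWI"
    role: str                          # position description the grant is based on
    applications: set                  # applications actually enabled on the OLMT
    approved_by_lottery: bool = False  # signed off by Lottery security officials?

@dataclass
class ReviewRecord:
    review_date: date
    excess: dict = field(default_factory=dict)     # user -> rights beyond the role
    unapproved: list = field(default_factory=list) # vendor grants lacking Lottery approval
    unknown_role: list = field(default_factory=list)

def review_access(grants, entitlements, today=None):
    """Reconcile granted rights against the role matrix; return a dated review record."""
    rec = ReviewRecord(review_date=today or date.today())
    for g in grants:
        allowed = entitlements.get(g.role)
        if allowed is None:            # no position description on file: flag, do not guess
            rec.unknown_role.append(g.user)
            continue
        extra = g.applications - allowed
        if extra:
            rec.excess[g.user] = extra
        # Rec. 11A: vendor rights on Lottery applications need Lottery security approval
        if g.employer != "Lottery" and not g.approved_by_lottery:
            rec.unapproved.append(g.user)
    return rec

def summarize(rec):
    """How many users hold each excess right: the figures the documented review states."""
    counts = {}
    for apps in rec.excess.values():
        for app in apps:
            counts[app] = counts.get(app, 0) + 1
    return counts

def sample_grants():
    """Constructed sample modelled on the finding: nine AWI users hold excess rights."""
    grants = []
    for i in range(1, 10):
        apps = {"game_inquiry", "game_update"}       # all nine can update game files
        if i <= 2:                                   # two can update retailer files
            role, apps = "vendor_developer", apps | {"retailer_update"}
        else:                                        # seven can advance cash and adjust
            role, apps = "vendor_operator", apps | {"cash_advance", "retailer_adjustment"}
        grants.append(Grant(f"awi_user_{i}", "AWI", role, apps))
    grants.append(Grant("lottery_sec_1", "Lottery", "lottery_security", {"access_admin", "retailer_inquiry"}, True))
    return grants

if __name__ == "__main__":
    record = review_access(sample_grants(), ROLE_ENTITLEMENTS)
    print(record.review_date, summarize(record), sorted(record.unapproved))
```

Run on a schedule, the printed record (date, excess-right counts, unapproved vendor grants) is the documentation the recommendation asks for; a user with no position description on file is reported rather than silently passed.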
Recommendation #11

We recommend the Montana Lottery:

A. Approve AWI employee access rights to Lottery OLMT applications based on the requirements of employee position descriptions.

B. Review the reasonableness of OLMT access on a periodic basis.


External Evaluations of AWI's Computer System


As part of our on-site review of controls over AWI's computer system, we determined whether any external control evaluations are completed which ensure continued security over the system. During our review, we found the Montana Lottery is not conducting or requiring an external review of AWI's computer operations as they relate to Montana Lottery operations.


On-Line Revenues Dictate Periodic Reviews


In the last two fiscal years on-line lotto games for the Montana Lottery earned a total of $46.3 million. This is approximately 70 percent of total Lottery revenue over this time period. Therefore, it is important the Lottery ensure the computer system at AWI remain secure from any possible security violations, whether accidental or intentional. The most effective way of doing this is through an external evaluation process directed by the Montana Lottery.


Periodic external evaluations of AWI have not been performed because Lottery officials believe AWI is a "professional, security conscious organization." While we do not question the professionalism or security consciousness of AWI, we have identified security weaknesses which require improvement in some areas of their computer operations relating to the Montana Lottery. These weaknesses occurred as a result of Montana Lottery security officials not formally monitoring AWI computer operations as they relate to the Montana Lottery.
External Reviews Could Eliminate Control Weaknesses


Section 23-7-212, MCA, sets forth the director of security's responsibility for ensuring the security over the Montana Lottery and its games. This law requires the director of security to ensure the ". . . security, honesty, fairness, and integrity in the operation and administration of the lottery . . ." Since the operation of the Lottery includes three on-line lotto games which rely upon AWI's computer system, the director of security should require periodic external reviews of the system to ensure the system remains secure.


It is important this review be performed by an individual or entity not employed by AWI to ensure independence. This means the director of security could perform the review or require AWI to hire an independent firm to conduct the review. The Washington State Lottery periodically performs a security review of AWI's computer system as it relates to the Washington State Lottery. The Montana Lottery may be able to coordinate with them to do a combined review. The Lottery's director of security would be ultimately responsible for ensuring the completeness of any review which was conducted.

Lottery security officials conduct periodic evaluations of the company which prints its instant tickets in order to review the security over its operations. We believe the Lottery should do the same for AWI since they provide the services for the on-line lotto games which constitute the majority of the Lottery's revenues.


Recommendation #12

We recommend the Montana Lottery establish an external evaluation process to ensure the security of AWI's computer system.
Computer Security Training


Computer systems are the center of Montana Lottery operations. Everything the Lottery does associated with its instant and on-line lotto games relies upon the secure operation of a computer system. Instant games rely upon the Lottery's Stratus system and on-line lotto games rely upon AWI's computer system located in Olympia, Washington. Consequently, it is important for Lottery security personnel to ensure there is appropriate security over both these systems. Security personnel should be trained in order to monitor the security over these systems and identify any security violations which may occur.


Security Personnel have Received Limited Computer Security Training


The director of security and the investigator have been responsible for the security over Lottery operations, including computer security, since the Lottery's inception in 1987. However, we found these individuals have received a minimal amount of training related to computer security even though their position descriptions require an understanding of computer security. The director of security has attended only one computer security training session and the investigator has never received training related to computer security.


Section 23-7-212, MCA, reflects the importance of having security personnel who are well-trained in all areas of Lottery security. This law delegates the responsibility for ensuring the security over the operation of the Lottery to the security department. This law also requires the director of security to be knowledgeable in computer security and be qualified by experience and training. Additionally, the director of security has designated the investigator as the system administrator over the Lottery's computer system. The responsibilities of a system administrator include monitoring the system for potential security violations and approving employee access to the system. Therefore, it is also essential the investigator have appropriate knowledge of computer security requirements through appropriate computer security training.
Lack of Training a Recurring Concern


Both our 1989 and 1991 security audits identified computer security as the major concern in Lottery security operations. Our 1991 security audit (90P-28A) recommended the Lottery develop and implement an appropriate training plan and program for security-related personnel. This recommendation was designed to make computer security training a priority of Lottery management. The Lottery has not yet formally developed or implemented a computer security training plan or program for security personnel.


Lottery management has established two goals and objectives which relate directly to its employees and the security of its games. One goal aims to improve employee job performance and the other is to maintain the security of the Lottery. These goals and objectives indicate Lottery management is aware of the importance of training and a secure Lottery. We believe providing security personnel with additional computer security training would help the Lottery meet these goals. We also believe training would help the Lottery maintain security over its computer system.


Summary


Since Lottery operations are so dependent upon computer systems, it is important for security personnel to fully understand computer security. This can only occur through proper training of security personnel and continuous use of the skills learned. It is important for the Lottery to be proactive instead of reactive in the area of computer security. This includes ensuring security personnel receive computer security-related training. Security personnel must be able to identify potential problems before these problems could adversely affect Lottery operations. A better understanding of computer security would have helped security personnel identify the security weaknesses we identified. This understanding could also help security personnel improve the administration of the data processing security group by focusing the group's attention on computer security issues.


Developing and implementing a training plan and program would help the Lottery design the most efficient means of providing computer security training to security personnel. Training plans should include the goals the Lottery wishes to attain and the types of training which may help the Lottery achieve these goals. Training programs should include the basics of electronic data processing and more specific computer security training so security staff understand computer operations and security measures necessary to properly protect the Lottery's resources.


Recommendation #13

We recommend the Montana Lottery establish and implement a computer security training plan and program for security personnel.
Charmaine D. Murphy, Director                         Marc Racicot, Governor


March 31, 1994


Joe F. Murray
Senior Performance Auditor
Office of the Legislative Auditor
State Capitol
Helena, MT 59620

Dear Joe,

Thank you for the opportunity to respond to the final report on Montana Lottery Security.

In general, the Montana Lottery agrees with the audit findings and recommendations. In several areas the Lottery has taken action to correct problems which became apparent during that audit time period. In those areas it is our desire to maintain the controls we have already put into place. In other instances it became apparent that new guidelines were needed. Finally, through the audit process, we found areas where strengthening of existing policies and practices is needed.


The following is our response to specific recommendations of your audit team.

Recommendation #1

We recommend the Montana Lottery:

A. Maintain the control system which limits warehouse access to authorized employees.

B. Enforce the requirement all non-security and non-warehouse personnel sign the access log when entering and leaving the warehouse.

We concur with both of your recommendations. These recommendations involve a correction which took place during the audit. We believe that our practice as it currently exists fully satisfies what you intended in the recommendation.
Recommendation #2

A. Create a guideline for acceptable weight ranges for Montana Cash drawing balls.

We concur with your recommendation to create a guideline for acceptable weight ranges for Montana Cash drawing balls. We will develop the guideline and have it in operation by July, 1994.

B. Monitor and document the information provided by Weights and Measures to determine if weights fall within this acceptable weight guideline.

We concur with your recommendation and will monitor and document the Weights and Measures information based on the guidelines which we will have in place by July, 1994.

Recommendation #3

We recommend the Montana Lottery eliminate the flow of water in the water lines above the computer room.

We concur with your recommendation. We have installed a shut-off valve well away from the computer area. This valve could not be located in a secure area because it would have stopped water flow to a drinking fountain in the office area. The valve is sealed to prevent opening and to detect tampering.

Recommendation #4

We recommend the Montana Lottery develop a checklist to assist security in testing all security devices, including the smoke alarm and fire extinguisher.

We concur with your recommendation. We have developed a checklist of all security related devices. We began using that form as a guide in our January 1994 equipment survey.

Recommendation #5

We recommend the Montana Lottery retain documentation authorizing access to Stratus operating and ILS application files.

We concur with your recommendation. Through the audit we recognized the need for the retention of the authorization forms and we are now keeping this form as documentation.


Recommendation #6

We recommend the Montana Lottery:

A. Establish a system for reviewing employee access privileges to ILS applications and document these reviews.

We concur with your recommendation. We currently review employee access privileges when employees leave or changes occur that make it apparent that a review is necessary. We will establish a system to continue the reviews we currently perform and to review, at specific intervals, our employee access privileges and document these reviews. This will be in place by July of 1994.

B. Revoke the access privileges to ILS application for those users not requiring it in the performance of their job duties.

We concur with your recommendation. The access privileges not needed in the performance of duties have been removed. We add that these accesses were not given indiscriminately. The practices and responsibilities have changed and this allows us to remove the questioned access.

Recommendation #7

We recommend the Montana Lottery develop a formal, tested backup and recovery plan that includes an alternate site or equipment replacement agreement.

We concur with your recommendation. We will have a disaster recovery plan including an alternate site agreement in place by March, 1995.

Recommendation #8

We recommend the Montana Lottery:

A. Perform a review of hard copy retailer license files prior to license issuance in accordance with internal security policies.

B. Establish a policy for centralized review of all changes to hard copy retailer files and information on the computer system.

C. Review existing hard copy retailer files and computer information for accuracy.

We concur with recommendations A, B, & C. We have completed a check list which documents the hard copy review of retailer license files. By December, 1994 we will review all existing hard copy files, updating information for accuracy. Within the same time period a policy of review of changes to the hard copy and the system will be accomplished.

Recommendation #9

We recommend the Montana Lottery develop for the data processing security group:

A. A mission and specific goals and objectives for conducting an on-going comprehensive security review of the computer system.

B. A written plan on how to meet the mission and goals and objectives.

We concur with your recommendations. We will develop a mission statement and specific goals and objectives along with a plan to meet the mission and goals and objectives. This will be completed by September of 1994.

Recommendation #10

We recommend the Montana Lottery require:

A. The AWI disaster recovery plan include Montana Lottery operations.

We concur with your recommendation. In talking with the AWI Olympia project manager, I was informed that he believes the plan is complete. The person doing the final review of the plan is out of state and unavailable. To be sure that all is correct in the review process, AWI asked until May of 1994 for completion.

B. The AWI disaster recovery plan include a formal agreement for establishing an alternate computer facility.

We concur with your recommendation. In talking with the AWI Olympia project manager, I was told that they have looked at several options for an alternate facility in case of disaster. AWI is now part of a strategic partnership with Electronic Data Systems, Inc. EDS has several offices in the Seattle area. AWI is now looking for facilities through EDS to meet their needs. AWI believes they can have a formal agreement by August, 1994.

Recommendation #11

We recommend the Montana Lottery:

A. Approve AWI employee access rights to Lottery OLMT applications based on the requirements of employee position description.

B. Review the reasonableness of OLMT access on a periodic basis.

We concur with both recommendations. Prior to the audit Montana Lottery Security had the approval responsibilities for our staff on OLMT. We also had the AWI employee access information available to us. During the audit we began reviews of AWI employee access needs based on job requirements. That will continue with a further review on a periodic basis.

Recommendation #12

We recommend the Montana Lottery establish an external evaluation process to ensure the security of AWI's computer system.

We concur with your recommendation. The Montana Lottery will develop a process of external evaluation concerning AWI's computer system and have it in place by September, 1994.

Recommendation #13

We recommend the Montana Lottery establish and implement a computer security training plan and program for security personnel.

We concur with your recommendation. We will adopt a computer security training program and have it in operation by January of 1995.
Thank you again for the opportunity to respond. We hope that we can count on you and the resources of your office to answer questions and provide additional information. We appreciate the constructive manner in which this audit was conducted. If you have questions regarding any of our comments please don't hesitate to call me.

Respectfully submitted,


John Onstad
Director of Security
Montana Lottery

cc: Charmaine Murphy, Director